Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") describes how Lawnify ("we", "us", the "Controller") collects, processes, and protects the personal data of our users ("you", "Data Subjects") when you use the Lawnify lawn care planning service. As the data controller, Lawnify determines the purposes and means of processing your personal data and is committed to handling it responsibly and in compliance with applicable data protection laws.

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person, including name, email address, location data, photographs, and payment information.
Processing: Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
Data Subject: An identified or identifiable natural person whose personal data is processed — in this context, Lawnify users.
Controller: The entity that determines the purposes and means of processing personal data. Lawnify acts as the Controller for your data.
Processor: An entity that processes personal data on behalf of the Controller. Our sub-processors (listed in Section 5) act as Processors.

3. Data We Process

We process the following categories of personal data in order to provide and improve the Lawnify service:

Account Information: Name, email address, and profile picture obtained via Google OAuth sign-in.
Lawn Photos: Images of your lawn uploaded for AI analysis, grass identification, and care plan generation.
Location / ZIP Code: Your geographic location used to determine climate zone, local grass species, and seasonal care schedules.
Payment Data: Billing information processed securely through Stripe for subscription and marketplace transactions. Lawnify does not store full credit card numbers.
Usage Data: Information about how you interact with the service, including pages visited, features used, task completion, and device/browser metadata.

4. Processing Purposes

Your personal data is processed for the following purposes:

Service Delivery: Providing personalized lawn care plans, task scheduling, and lawn health monitoring.
AI Analysis: Processing lawn photos through AI models to identify grass types, detect issues, and generate care recommendations.
Marketplace Matching: Connecting homeowners with qualified lawn care service providers based on location and service needs.
Billing: Processing subscription payments and marketplace transactions through our payment processor.
Notifications: Sending service-related emails including task reminders, care alerts, and account updates.

5. Sub-processors

We use the following third-party sub-processors to deliver the Lawnify service. Each processes data only as necessary for their stated purpose:

Sub-processor	Purpose
Cloudflare	Hosting, CDN, edge computing, and AI inference (Workers AI)
Stripe	Payment processing for subscriptions and marketplace transactions
Google	User authentication via Google OAuth
Resend	Transactional and notification email delivery
Cloudflare R2	Object storage for lawn photos and uploaded images

6. Data Transfers

Your data is primarily processed in the United States. However, because Lawnify is hosted on Cloudflare's global network, certain data (such as cached assets and edge-computed responses) may be processed at Cloudflare edge locations worldwide to optimize performance and reduce latency. All data transfers are protected by encryption in transit and are subject to our sub-processors' respective data protection agreements.

7. Security Measures

We implement the following technical and organizational measures to protect your personal data:

Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS (HTTPS).
Authentication via OAuth: We use Google OAuth for authentication, avoiding the need to store passwords directly.
Database Access Controls: Access to production databases is restricted to authorized personnel and services, with role-based access policies.
Image Compression Before Storage: Lawn photos are compressed and optimized before being stored, reducing the amount of data retained and limiting exposure.

8. Data Subject Rights

You have the following rights regarding your personal data:

Right of Access: You may request a copy of the personal data we hold about you.
Right to Rectification: You may request correction of inaccurate or incomplete personal data.
Right to Erasure: You may request deletion of your personal data, subject to any legal retention obligations.
Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format.

To exercise any of these rights, please contact us at:

Email: privacy@lawnify.io

We will respond to your request within 30 days.

9. Data Retention

Account Data: Retained for as long as your account is active. Upon account closure, your personal data will be deleted within 30 days, except where retention is required by law.
Lawn Photos: Retained for as long as needed to deliver the service (e.g., care plan generation, historical lawn tracking). Photos are deleted when you delete your account or remove them manually.
Usage Data: Aggregated and anonymized usage data may be retained indefinitely for analytics and service improvement purposes.

10. Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Lawnify will notify affected users within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach.

11. Contact

If you have any questions about this Data Processing Agreement or how we handle your personal data, please contact us at:

Email: privacy@lawnify.io